Firewall Rule Deleted Via Netsh.EXE
Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
Sigma rule
title: Firewall Rule Deleted Via Netsh.EXE
id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
status: test
description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
references:
    - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
author: frack113
date: 2022-08-14
modified: 2025-10-07
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'firewall'
            - 'delete '
    filter_optional_dropbox:
        ParentImage|endswith: '\Dropbox.exe'
        CommandLine|contains: 'name=Dropbox'
    filter_optional_avast:
        ParentImage|endswith: '\instup.exe'
        CommandLine|contains: 'advfirewall firewall delete rule name="Avast Antivirus Admin Client"'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administration activity
    - Software installations and removal
level: medium
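To show what the condition `all of selection_* and not 1 of filter_optional_*` actually does when applied to telemetry, the following Python evaluator re-implements this rule's logic and runs it over a handful of constructed process_creation events. It is an added example, not part of the Sigma rule or of the SigmaHQ project, and the sample events are made up for illustration. It assumes Sigma's default string semantics (case-insensitive `contains`, `endswith` and equality) and uses the field names the rule itself references (`Image`, `OriginalFileName`, `ParentImage`, `CommandLine`).

```python
from typing import Dict, List

# Constructed sample events standing in for Windows process_creation telemetry
# (e.g. Sysmon Event ID 1). None of these come from a real host or from the page.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: interactive deletion of a firewall rule -> should alert
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'netsh advfirewall firewall delete rule name="Remote Desktop"',
    },
    {   # 1: copied/renamed netsh; OriginalFileName (PE metadata) still identifies it -> alert
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "netsh.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "svc.exe firewall delete portopening tcp 3389",
    },
    {   # 2: Dropbox client cleaning up its own rule -> excluded by filter_optional_dropbox
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "ParentImage": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
        "CommandLine": "netsh advfirewall firewall delete rule name=Dropbox",
    },
    {   # 3: Avast installer removing its admin-client rule -> excluded by filter_optional_avast
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "ParentImage": r"C:\Windows\Temp\instup.exe",
        "CommandLine": 'netsh advfirewall firewall delete rule name="Avast Antivirus Admin Client"',
    },
    {   # 4: a rule being added, not deleted -> not in scope of this rule
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'netsh advfirewall firewall add rule name="app" dir=in action=allow',
    },
    {   # 5: Dropbox.exe parent but a different rule name -> filter needs BOTH fields, so alert
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "ParentImage": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
        "CommandLine": 'netsh advfirewall firewall delete rule name="Remote Desktop"',
    },
    {   # 6: 'delete' not followed by a space (rule named "deleteme") -> no match on 'delete '
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "netsh advfirewall firewall show rule name=deleteme",
    },
]


# Sigma string modifiers are case-insensitive by default; mirror that here.
def _ci_endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def _ci_contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def selection_img(e: Dict[str, str]) -> bool:
    # List of maps under a selection = OR between the list items.
    return (_ci_endswith(e.get("Image", ""), r"\netsh.exe")
            or e.get("OriginalFileName", "").lower() == "netsh.exe")


def selection_cli(e: Dict[str, str]) -> bool:
    # 'contains|all' = every listed substring must be present (note the trailing space in 'delete ').
    cmd = e.get("CommandLine", "")
    return all(_ci_contains(cmd, s) for s in ("firewall", "delete "))


def filter_optional_dropbox(e: Dict[str, str]) -> bool:
    # Keys inside one map are AND-ed: both parent and rule name must match.
    return (_ci_endswith(e.get("ParentImage", ""), r"\Dropbox.exe")
            and _ci_contains(e.get("CommandLine", ""), "name=Dropbox"))


def filter_optional_avast(e: Dict[str, str]) -> bool:
    return (_ci_endswith(e.get("ParentImage", ""), r"\instup.exe")
            and _ci_contains(e.get("CommandLine", ""),
                             'advfirewall firewall delete rule name="Avast Antivirus Admin Client"'))


def rule_matches(e: Dict[str, str]) -> bool:
    # condition: all of selection_* and not 1 of filter_optional_*
    return (selection_img(e) and selection_cli(e)
            and not (filter_optional_dropbox(e) or filter_optional_avast(e)))


def evaluate_rule(events: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of events that would raise this rule's alert."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        print(f"event {i}: {'ALERT' if rule_matches(e) else 'no alert':8} {e['CommandLine']}")
    print("alerting events:", evaluate_rule(SAMPLE_EVENTS))  # [0, 1, 5]
```

Events 5 and 6 are the ones worth studying: the optional filters only suppress an event when every field in the filter matches, so a trusted parent process alone does not exclude a deletion, and the trailing space in `'delete '` keeps substrings such as a rule named `deleteme` from matching. Because `selection_img` also accepts `OriginalFileName`, the rule still fires when the binary has been copied under another name, which is why both fields are listed.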
Related rules
- Uncommon New Firewall Rule Added In Windows Firewall Exception List
- New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
- New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
- All Rules Have Been Deleted From The Windows Firewall Configuration
- A Rule Has Been Deleted From The Windows Firewall Exception List